Imprivata: How to Display SSO User in BGinfo on a Kiosk

BGinfo, in case you’re by some chance unfamiliar, is a Microsoft utility for displaying session information on the wallpaper. It is often used on both servers and desktops for the purpose of quickly identifying the current Windows user, the name of the machine, and any other handy information one might want to have at hand. However, in one of Imprivata’s most common use cases, a generic account is used to enter the Windows environment, while a type-2 (kiosk) OneSign agent acts as an authentication gateway for each SSO user who shares that machine.

In this scenario, displaying the currently logged-in Windows user in BGInfo is a bit of a moot point, as it will always be the same for everyone. It doesn’t give any actual indication as to who is presently using the device. The problem is that, by default, there is no environment variable or single point for BGinfo to reference in order to display the current SSO user–that is, the one who just authenticated to Imprivata. Thankfully though, it’s not hard to set this up.

The Extension Object

You’re going to need an extension object, set to run when a session is unlocked. While you have the option to use the setx command to set an environment variable, this is not necessarily the best way to go. In my experience, using this method tends to have some timing issues with respect to the first time BGinfo runs and attempts to reference it, and I have seen this fail in more ways than one. Sometimes it just reliably failed on BGinfo’s first execution of the session, while it worked every subsequent time. In other cases, it failed consistently no matter which attempt you were on.

The more reliable option is to store the SSO user in the registry. The location of the string can be completely arbitrary, but I would strongly encourage using the HKEY_CURRENT_USER hive so you can keep your generic Windows login as far away from admin privileges as possible. The extension object is quite simple; here’s an example:

This will store a string value called SSOUser (which will contain the username of the person who just authenticated to Imprivata) in the HKCU\Software\SSO key. This key will not exist by default, as I just invented it for the sake of this post–you can choose to store it wherever you’d like. You may also want to run BGinfo from this extension object as well. Doing so will ensure the timing of BGinfo’s forthcoming registry reference is consistent–that is, you can be certain that BGinfo will run only after the registry is changed. Which brings me to the next point:

The .bgi File

This part is simple. BGinfo allows you to set any custom fields you’d like using the “Custom” button on the right. Simply hit that button, then “New,” and choose an identifier for your field (might I recommend SSOUser?).

“Replace identifier with” a registry value (you won’t need to tick the 64-bit checkbox unless you made things weirdly hard on yourself in the last step), and enter the path to the value you set earlier, which is HKEY_CURRENT_USER\Software\SSO\SSOUser in my example. Click “OK” and then “OK” again, and add the field you just created to your configuration, either by clicking the identifier in the box on the right and choosing “Add” or simply by typing its name between < and >, which is <SSOUSER> in my example.

—

Now just save your .bgi file, put it in a place everyone can access, and use its path as a parameter when you run the BGInfo executable. Let me know if this was helpful!
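
The steps above as one script that an extension object could launch on unlock. This is an added example, not the author's extension object or Imprivata's code. It assumes the extension object passes the authenticated username as -SsoUser, and the Bginfo.exe and .bgi paths are placeholders.

```powershell
# Added example: store the SSO user under HKCU, confirm the write, then run BGinfo.
# Assumption: the extension object supplies the authenticated username as -SsoUser.
param(
    [Parameter(Mandatory = $true)]
    [string]$SsoUser,
    # Placeholder paths: point these at your own Bginfo.exe and saved .bgi file.
    [string]$BgInfoExe = 'C:\Tools\BGInfo\Bginfo.exe',
    [string]$BgiFile   = 'C:\Tools\BGInfo\kiosk.bgi'
)

$ErrorActionPreference = 'Stop'
$keyPath   = 'HKCU:\Software\SSO'   # key used in the post; any HKCU location works
$valueName = 'SSOUser'

# The value is rendered on the wallpaper, so accept only characters that are
# plausible in a username (letters, digits, . _ @ \ -) and bound the length.
if ($SsoUser -notmatch '^[A-Za-z0-9._@\\-]{1,64}$') {
    throw 'Refusing to store an unexpected username value.'
}

# The key does not exist by default, so create it on first use.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Write (or overwrite) the string value for the user who just authenticated.
New-ItemProperty -Path $keyPath -Name $valueName -Value $SsoUser `
    -PropertyType String -Force | Out-Null

# Read the value back so a failed write is caught here rather than showing
# up later as a stale or empty name on the wallpaper.
$stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($stored -ne $SsoUser) {
    throw "Registry value $keyPath\$valueName was not updated."
}

# Run BGinfo only after the write is confirmed, so its registry lookup always
# sees the current SSO user. /timer:0, /silent and /nolicprompt are standard
# BGinfo switches for an unattended refresh.
Start-Process -FilePath $BgInfoExe `
    -ArgumentList "`"$BgiFile`"", '/timer:0', '/silent', '/nolicprompt' -Wait
```

Because everything happens under HKCU, the generic kiosk account needs no rights beyond its own profile.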

4 thoughts on “Imprivata: How to Display SSO User in BGinfo on a Kiosk”

Working with OneSign 4.9 and having issues with the XO adding the string to the registry. I have played with the quotes but still having issues. I followed the tutorial but it seems like the registry is not updating. I made sure the kiosk account has full control over the SSO key in the registry.